Antlr4BuildTasks

HIGH SEVERITY CVE in NuGet dependencies

Open smaillet opened this issue 2 months ago • 2 comments

There is a CVE vulnerability (DoS) in the dependencies. Unfortunately, overrides in the project or central package management don't work for build-only dependencies. Thus, this is reported in the UI but NOT fixable by anyone except the package owner.

smaillet avatar Oct 28 '25 00:10 smaillet

Seems that PR #102 is resolving the CVE, but there is no NuGet publication yet.

smaillet avatar Oct 28 '25 00:10 smaillet

An update has just been released and I can confirm this fixes the issue. Thanks very much!

jbartlau avatar Oct 28 '25 07:10 jbartlau

Any ideas on if/when the nuget will be released?

eugenelepekhin avatar Nov 16 '25 05:11 eugenelepekhin

> Any ideas on if/when the nuget will be released?

It's in 12.11 Antlr4BuildTasks. The fix was here: https://github.com/kaby76/Antlr4BuildTasks/blob/ab3340b3f0b2036cb12a4c5d75c624707b34ec0e/Antlr4BuildTasks/Antlr4BuildTasks.csproj#L49

kaby76 avatar Nov 16 '25 11:11 kaby76